Once the ACL checking procedure finds entries that apply to a request for access to an object, it needs to determine if the request is an unauthenticated request. If the application server receives an access request from an unauthenticated user, it applies the unauthenticated mask to the matching ACL entries. Only those permissions specified in the unauthenticated mask and in the matching ACL entries can be granted.
See ACL Checking and the General Mask for information about applying the general mask.